When users or groups are set in a rule, this rule should not match
attribute with unauthorized request where user and group are nil.
Kubernetes-commit: 9a7acaae1d5015886cc7c3bc46fc3d973045dc2a
Updates https://github.com/kubernetes/kubernetes/issues/48561
This provide a way to omit some stages for each audit policy rule.
For example:
apiVersion: audit.k8s.io/v1beta1
kind: Policy
- level: Metadata
resources:
- group: "rbac.authorization.k8s.io"
resources: ["roles"]
omitStages:
- "RequestReceived"
RequestReceived stage will not be emitted to audit backends with
previous config.
Kubernetes-commit: 47ba91450fbe7d9002bfc9d4a48a73256252821f
policy:
- level: Metadata
resources:
- group: ""
resources ["pods/logs"]
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
The top level resource no longer matches the subresource. For example "pods"
no longer matches requests to the logs subresource on pods.
```release-note
Audit policy supports matching subresources and resource names, but the top level resource no longer matches the subresouce. For example "pods" no longer matches requests to the logs subresource of pods. Use "pods/logs" to match subresources.
```
Kubernetes-commit: 85491f1578b9b97751a332d3b957d874cecf27b3
Cao Shufeng
hzxuzhonghu
Maciej Szulik
Eric Chiang
Tim St. Clair